Bug 1767483 (CVE-2019-10086) - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
Summary: CVE-2019-10086 apache-commons-beanutils: does not suppresses the class proper...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1767498 1772495 1772496 1776318 1777091 1781294 1781295 1781713 1781714 1781715 1781716 1781717 1782344 1782459 1782460 1782461 1782462 1809370 1809371
Blocks: 1767578 2014197
TreeView+ depends on / blocked
 
Reported: 2019-10-31 14:38 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
127 users (show)

Fixed In Version: apache-commons-beanutils 1.9.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.
Clone Of:
Environment:
Last Closed: 2019-12-18 20:09:25 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4317 0 None None None 2019-12-18 15:29:48 UTC
Red Hat Product Errata RHSA-2020:0057 0 None None None 2020-01-08 11:19:56 UTC
Red Hat Product Errata RHSA-2020:0194 0 None None None 2020-01-21 19:12:19 UTC
Red Hat Product Errata RHSA-2020:0804 0 None None None 2020-03-12 17:04:37 UTC
Red Hat Product Errata RHSA-2020:0805 0 None None None 2020-03-12 17:06:02 UTC
Red Hat Product Errata RHSA-2020:0806 0 None None None 2020-03-12 17:01:43 UTC
Red Hat Product Errata RHSA-2020:0811 0 None None None 2020-03-12 17:00:43 UTC
Red Hat Product Errata RHSA-2020:0899 0 None None None 2020-03-18 17:37:36 UTC
Red Hat Product Errata RHSA-2020:0951 0 None None None 2020-03-23 20:13:57 UTC
Red Hat Product Errata RHSA-2020:1308 0 None None None 2020-04-02 16:32:22 UTC
Red Hat Product Errata RHSA-2020:1454 0 None None None 2020-04-14 13:22:16 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:27:20 UTC
Red Hat Product Errata RHSA-2020:2321 0 None None None 2020-05-26 16:10:04 UTC
Red Hat Product Errata RHSA-2020:2333 0 None None None 2020-05-28 15:59:34 UTC
Red Hat Product Errata RHSA-2020:2619 0 None None None 2020-06-19 01:47:18 UTC
Red Hat Product Errata RHSA-2020:2740 0 None None None 2020-06-24 14:14:04 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:55:35 UTC
Red Hat Product Errata RHSA-2020:3197 0 None None None 2020-07-29 06:22:37 UTC
Red Hat Product Errata RHSA-2020:3247 0 None None None 2020-08-04 13:15:49 UTC
Red Hat Product Errata RHSA-2020:3587 0 None None None 2020-09-01 14:41:20 UTC

Description Guilherme de Almeida Suckevicz 2019-10-31 14:38:08 UTC 
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Reference:
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e
Comment 1 Pedro Sampaio 2019-10-31 15:12:19 UTC 
Created apache-commons-beanutils tracking bugs for this issue:

Affects: fedora-all [bug 1767498]
Comment 2 Fabio Valentini 2019-10-31 15:23:30 UTC 
The page for the CVE entry [0] claims that this affects versions <= 1.9.3, so 1.9.4 does not have this issue - do I understand this correctly?

If so, we can just merge the 1.9.4 update that's already in rawhide to stable fedora releases as well.

[0]: https://nvd.nist.gov/vuln/detail/CVE-2019-10086
Comment 4 Summer Long 2019-11-11 04:52:21 UTC 
External References:

https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt
Comment 6 Paramvir jindal 2019-11-19 17:05:52 UTC 
RHSSO 7.3.4 ships commons-beanutils-1.9.3.redhat-1.jar seems to be affected as per the description. This flaw allows attacker to manipulate the class loader properties on server and I am not sure which all properties are exposed by RHSSO so creating the tracker and leaving it to dev team to take it further.
Comment 8 Kunjan Rathod 2019-11-21 09:03:25 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss SOA Platform 5
Comment 9 Kunjan Rathod 2019-11-21 09:04:13 UTC 
In reply to comment #8:
> This vulnerability is out of security support scope for the following
> products:
>  * Red Hat Enterprise Application Platform 6
>  * Red Hat Enterprise Application Platform 5
>  * Red Hat JBoss Operations Network 3
>  * Red Hat JBoss BPMS 6
>  * Red Hat JBoss BRMS 6
>  * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 17 Paramvir jindal 2019-12-11 10:06:33 UTC 
Both RHDM 7.5.1 and RHPAM 7.5.1 ships commons-beanutils-1.9.3.redhat-1.jar which seems to be affected so marking them as affected and creating trackers for them :

./standalone/deployments/decision-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
./standalone/deployments/business-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
Comment 24 errata-xmlrpc 2019-12-18 15:29:43 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2019:4317
Comment 25 Product Security DevOps Team 2019-12-18 20:09:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10086
Comment 30 errata-xmlrpc 2020-01-08 11:19:47 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0057
Comment 31 errata-xmlrpc 2020-01-21 19:12:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0194
Comment 34 errata-xmlrpc 2020-03-12 17:00:38 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
Comment 35 errata-xmlrpc 2020-03-12 17:01:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
Comment 36 errata-xmlrpc 2020-03-12 17:04:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
Comment 37 errata-xmlrpc 2020-03-12 17:05:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
Comment 39 errata-xmlrpc 2020-03-18 17:37:29 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
Comment 40 errata-xmlrpc 2020-03-23 20:13:51 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
Comment 41 errata-xmlrpc 2020-04-02 16:32:16 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308
Comment 42 errata-xmlrpc 2020-04-14 13:22:11 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 7

Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454
Comment 43 Chess Hazlett 2020-05-13 16:19:30 UTC 
Mitigation:

There is no currently known mitigation for this flaw.
Comment 44 errata-xmlrpc 2020-05-18 10:27:12 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 45 errata-xmlrpc 2020-05-26 16:09:58 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
Comment 46 errata-xmlrpc 2020-05-28 15:59:29 UTC 
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
Comment 48 errata-xmlrpc 2020-06-19 01:47:13 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0 on EAP async

Via RHSA-2020:2619 https://access.redhat.com/errata/RHSA-2020:2619
Comment 49 errata-xmlrpc 2020-06-24 14:13:59 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2020:2740 https://access.redhat.com/errata/RHSA-2020:2740
Comment 50 errata-xmlrpc 2020-07-28 15:55:28 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Comment 51 errata-xmlrpc 2020-07-29 06:22:31 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197
Comment 53 errata-xmlrpc 2020-08-04 13:15:43 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247
Comment 54 errata-xmlrpc 2020-09-01 14:41:14 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:3587 https://access.redhat.com/errata/RHSA-2020:3587
Note You need to log in before you can comment on or make changes to this bug.